---
apiVersion: "api.cerbos.dev/v1"
variables:
  same_geography: request.resource.attr.geography == request.principal.attr.geography
derivedRoles:
  name: {{ .NameMod "beta" }}
  definitions:
    - name: any_employee
      parentRoles: ["employee"]

    - name: direct_manager
      parentRoles: ["manager"]
      condition:
        match:
          all:
            of:
              - expr: V.same_geography
              - expr: request.resource.attr.geography == request.principal.attr.managed_geographies
